Penetration testing

PowerShell for pentesters part 1: Introduction to PowerShell and Cmdlets

Kondah Hamza
June 13, 2018 by
Kondah Hamza

PowerShell represents one of the most interesting and powerful languages for a pentesting purpose.

FREE role-guided training plans

FREE role-guided training plans

Get 12 cybersecurity training plans — one for each of the most common roles requested by employers.

So, we will try to focus on this context with this suite of articles.

This article represents the first one of the lab series about PowerShell for pentesters when we will begin by discovering the basics that we need to perform pentesting tasks using PowerShell.

What PowerShell will represent for us?

Microsoft defines PowerShell as the following :

"PowerShell® is a task-based command-line shell and scripting language designed especially for system administration. Built on the .NET Framework, Windows PowerShell helps IT professionals and power users control and automate the administration of the Windows operating system and applications that run on Windows."

But, for us, as pentesters, PowerShell represent a powerful shell and scripting language which is present (in most cases from windows 7, it's integrated by default) on our pentest targets and provide to us specially a powerful post-exploitation "tool/language" that can give us so much power and a very big attack surface/possibility.

PowerShell provides us many aspects that make it perfect for a pentesting context like :

  • Easy to learn
  • Based on .Net Framework
  • Trusted by the OS
  • Provide access almost to everything in the Window based Operating Systems!
  • Integrated by default from Windows 7
  • Object Oriented
  • Scripting interface with ISE

And this why we use PowerShell!

Note that we will work with PowerShell v2 because this version is present in almost all Windows Operating Systems versions.

Let's take a tour

To launch PowerShell command line, you can do it from the launch bar on any version of Windows, ( From Windows 7, PowerShell is integrated by default) by taping "PowerShell.exe" :

Figure 1: Launching PowerShell

You can launch it also directly from its own directory based on: "C:WindowsSystem32WindowsPowerShellvX.0PowerShell.exe," where x represents the version number

Once done, we will see like this beautiful console which represent the PowerShell Console, where all the magic is :

Figure 2: PowerShell Console

First, let's do a little help to show all the possibilities with the "Get-Help" Command :

Figure 3: Result of Get-Help Command

As specified in the result of the help command, this command will display help about Windows PowerShell cmdlets and concepts.

For this first article, we will only discover cmdlets, and for the second one all necessary basics will be threatening, but for now, let's continue our article!

You can also search specific command by using "Get-Help <term_search>," knowing that the Get-Help command support wildcards.

First, let's get it all by using "Get-help *," which will return us a huge list of help topics:

Figure 4: Result of Get-Help * Command

And let's try "Get-help *alia*," which will make us able to get only commands (and help topics) about aliases using a wildcard (just a simple example):

Figure 5: Result of Get-Help *alia* Command

Then we will try to get all aliases for current session using "Get-Alias" :

Figure 6: Result of Get-Alias Command

You can also get some examples of using a specific command (like Get-Help in this example), by using the "-Examples" option:

Figure 7: Result of "Get-Help -Example" Command

Let's discover the Cmdlets

The Cmdlets represent one of the most interesting features on PowerShell.

A Cmdlet (pronounced "Command-let") is a command that exists in the form of a .NET class instance.

It is not a simple executable. It can have attributes that are used to identify input parameters or to manage redirections with the pipeline

Cmdlets can be made with any .NET language or using the PowerShell scripting language. To display the available Cmdlets, use the Get-Command command.

Let's use the "Get-Command," which will give us all commands available possibilities:

Figure 8: Result of Get-Command Command

Otherwise, we can get only cmdlets by using the following Command :

"Get-Command -CommandType cmdlet"

As we can see, Cmdlets represent simply small scripts that follow a dash-separated verb-noun convention as "Start-Process" or "Stop-Process." We can remark that we can found Verbs with Different Actions. The structure of Cmdlets can be represented as the following :

Figure 9: Structure of Cmdlets

You can also get a little help about parameters available with the command you are using :

"Get-Help Get-Process -Parameter * | more," where Get-Process represent the Cmdlets that are being used.

Figure 10: Result of Get-Help Get-Process – Parameter *, which allows us to get parameters that can be used with the command.

And we and this part with very interesting parameters with the Get-Command command which is "-Verb" which allows us to do searches based on the Verb part (there are other filters based on the other parts of the command).

The example above represents a search using –Verb parameter which is start.

The command is the following: "Get-Command –Verb start"

Figure 11: Result of Get-Command using the parameter -Verb

We can also get information directly by using a term of search or a wildcard (here in this example with a process using wildcard example) :

"Get-Command -CommandType cmdlet -Name *rocess*"

Figure 12: Result of search using wildcards

Useful Cmdlets for pentesting purposes

We can really get interesting Cmdlets that can really help us on our pentesting context, and of course, this is not the exhaustive list of all but simply some interesting Cmdlets.

In the next articles, we will discuss all of this deeply with use cases, knowing that the first two articles represent only an introduction to the essentials of PowerShell.

In this first example, we can find some of the most interesting Cmdlets that is Start-Process, which can be extremely interesting as a post-exploitation command that can be used to start a specific process.

Figure 13: Help Command of Start-Process Cmdlets

Figure 14: Example of Cmdlets "Start-Process " which allows us, in this example, to run notepad.exe

We can also Get a specific process using an interesting Cmdlet which is "Get-Process."

This Command can be extremely interesting command especially to get the ID of the process for Post exploitation purposes

Figure 15: Example of Cmdlets "Get-Process" which allows us to get information about a specific process

There is also an interesting Cmdlets that can allow us to get the content of a file which is ''Get-Content'' Cmdlet (Extremely useful on pentests).

Figure 16: Example of Cmdlets "Get-Content" which allows us to get the content of a file

We can also find the Cmdlet ''Get-Location'' which can return the current directory:

Figure 17: Example of Cmdlets "Get-Location" which allows us to get the current directory

Of course, we can also use an interesting Cmdlet to export what we get as results into specific fort like CSV ( we can also export it in other formats ) in this example using the "Export-Csv" Cmdlet, and it can be used with a pipe as we can see in the following screenshot:

Figure 18: Example of exporting results into a CSV file

Of course, it doesn't represent the exhaustive list of interesting Cmdlets but only the most useful ones in my opinion.

Any Cmdlet can be interesting depending on the context.

But to finish, here are some interesting and useful Cmdlets that can be used.

Knowing that we will discover all of this deeper by the third article when we will begin using (really) PowerShell for pentesting purposes with some use cases (always more interesting, right?

  • Copy a file: Copy-Item source_file destination_file
  • Move a file: Move-Item source_file destination_file
  • Get Services: Get-Service
  • Formatting output: Get-Process l Format-List –property name
  • Get hash (SHA1) of a file: Get-FileHash –Algorithm SHA1 file

Conclusion

PowerShell represents one of the most interesting and powerful languages for pentesting purposes.

In this suite of labs, we will try to cover all the essentials of PowerShell in a pentesting context, but, never forget, the most important now is that you must practice all of this again and again especially in use cases (other than we will discover) because this the only solution to be perfect.

What should you learn next?

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Brace yourself; the best is coming J

Kondah Hamza
Kondah Hamza

Kondah Hamza is an expert in it security and a Microsoft MVP in enterprise security. He is also involved with various organizations to help them in strengthening of their security. Today, he offers his services mainly as Consultant, Auditor/Pentester and Independent Trainer with Alphorm.com.